Another Chrome and Edge exploit published online as browser makers deal with patch gap issues
For the second time this week, a security researcher has published proof-of-concept (PoC) code that can exploit and run malicious code inside Chromium-based browsers like Chrome, Edge, Vivaldi, and Opera.
The code, published earlier today on GitHub, exploits a vulnerability in the V8 JavaScript engine that was patched in the V8 source code but has not yet been integrated into the Chromium open-source browser codebase and all the Chromium-based downstream browsers.
another chrome 0day https://t.co/QJy24ARKlU
— frust (@frust93717815) April 14, 2021
Just here to drop a chrome 0day. Yes you read that right.
The researcher who published the exploit for this security flaw today did not respond to an interview request; however, it is believed that they crawled the V8 changelog for fixes and put together the PoC code for one of these security flaws.
This is the exact same technique that Indian security researcher Rajvardhan Agarwal used over the weekend to develop a PoC exploit for a V8 vulnerability that was used during the Pwn2Own hacking contest last week.
Google released patches on Tuesday to fix the Pwn2Own vulnerability, while Microsoft released fixes for Edge earlier today.
A Google spokesperson did not respond to a request for comment, sent earlier today, about the newly published exploit. A source in the Edge team told The Record that patches for this new exploit are being worked on and will be available soon.
Just like the first proof-of-concept code released on Monday, this second PoC is only half of an exploit chain. The exploit still requires a second bug to escape the browser sandbox — a security protection that prevents malicious code from reaching the underlying OS — researchers Mike Gualtieri, John Jackson, and Sick Codes told The Record earlier today after we asked them to review the code.
However, if coupled with a sandbox escape or used against an app that uses headless/embedded versions of Chromium browsers, the exploit would allow threat actors to take over vulnerable systems via a classic buffer overflow vulnerability.
Really cool proof of concept, runs arbitrary code... but only when the sandbox is disabled?
— Sick.Codes (@sickcodes) April 14, 2021
Who runs Chrome without the Sandbox on though? Oh wait, nodejs does... https://t.co/phd43Y91pw pic.twitter.com/t0LWZk6IBP
But while both exploits target vulnerabilities in the Chromium V8 JavaScript engine component, they also share a root cause: something called a patch gap.
This is the time between a bug being patched in an open-source component (V8, in this case) and the fix reaching downstream products (Chrome, Edge, Vivaldi, etc.). During that window the fix is publicly visible in the upstream source, but the browsers that users run still contain the bug.
In previous years, the patch gap window in Chrome was usually six weeks, which was the interval between major releases of the Chromium project that integrated security fixes.
Following research published in April and September 2019 that exposed this problem and explained how the patch gap could be used to attack Chrome users, Google cut its patch gap to 15 days by agreeing to release security fixes once every two weeks.
The two PoC exploits published this week (for V8 security flaws that had already received fixes) show that the patch gap needs to be reduced further, something that Chrome security engineers had already considered last year but had yet to implement.
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.